An informal Workshop on IT Security Management was organised by OECD and held on 19-20
April 2001 in Paris at OECD headquarters. IT security management is a particularly
relevant topic in view of the growing reliance of the OECD and Member country
administrations on the Internet for email and many other information services, and the
significant and increasing risk of exposure to external computer threats to data
integrity, information availability and privacy, and overall network security.

There were over sixty participants with representation from nineteen OECD Member
countries and eleven international organisations.

The Workshop focused on the need for expanding electronic communications in support of
international co-operation; issues of security of information networks among national
agencies and international organisations; the current state and trends in external IT
security systems and procedures; and resources and organisational structures devoted to IT
security. Participants had a unique opportunity to draw lessons from recent computer virus
and other "cyber" attacks, share experiences and ideas on emerging policies,
standards and "best practices", and reflect on possible steps for more
co-operative action on external security.

The event was judged timely, as international co-operation increasingly relies on
electronic networks and organisations need to develop new approaches to external IT
security in order to reinforce trust and confidence against the ever-increasing
"cyber" threat.

Workshop Sessions

Pierre-Dominique Schmidt, Head of OECD's Executive Directorate, welcomed
participants and, along with Guido Maccari, Head of Information Technology and Network
Services, officially opened the Workshop.

The Workshop included four sessions - led by senior IT officials from the Irish
Statistical Office, the Austrian Chancellery, the World Bank and OECD - and nine
presentations, each followed by discussion. Two of the presentations were made by
private-sector IT security firms (SITA, Network Associates).

Participants provided an overview of the IT architecture and security infrastructure in
their respective organisations.

Workshop Summary

IT Security is part of Information Management Policy

Participants agreed that information, including its systems and infrastructure, should
be a managed corporate resource to support the business objectives throughout its life
cycle. Information should be protected to ensure its confidentiality, integrity,
availability and accessibility, as required.

A "best practice" approach to IT security management should include
fundamental elements:

The standard BS 7799 / ISO 17799 was cited by a number of participants as a valuable
reference specification for information security management systems.

Facilitate access to information

It was agreed that a significant objective of improved security is to facilitate access
to and sharing of information that should be shared, not to hide it. Safeguarding key and
confidential corporate information which should not be shared is the main challenge to be
addressed by an appropriate IT security policy. Because information security tools are
limited and the stakes can be high, organisations often resort to safeguarding everything
and denying all access. A combination of better tools - policies and technology - can
enable information to be shared more easily.

There is also a need to find the appropriate balance between IT and other forms of
security. It will not help to implement elaborate electronic protection from external
cyber threats without paying sufficient attention to other avenues for obtaining or
tampering with the same information. Threats from within still represent the greatest
security risk, whether physical or electronic. If the physical security of buildings is
weak, for example, then no amount of electronic security can prevent someone from walking
into a building and taking paper documents. Therefore decisions on IT security
investments should be in balance with the other types of protection, as well as with the
culture of the organisation.

What are we trying to protect ?

Participants recognised that the threat to content - tampering with documents,
databases, emails - is a potential problem, but does not have major consequences for key
operations, as information can easily be restored. Solutions to counter threats to content
have not yet been implemented by most organisations, mainly because of a lack of the clear
classification of information and authorisation policies that should accompany IT
developments. In this regard a partnership must exist between the "business"
units of an organisation and the ICT department to assess and decide what information
needs to be available and to whom. The alternative is the classical model:
"a staff member can see everything, and no-one else can see anything".

Whom are we trying to protect ?

The tendency to apply different access control standards to staff on site and to
people working from "elsewhere" should be counterbalanced. It would be
desirable to provide staff on mission or working from home with the same access as from
their offices. Similarly, there are often business partners who should be granted more
access to information but are not, because they are "outside the perimeter".
The emphasis should be less on trying to keep "outsiders" outside, and more on
enabling the right people to get access to the right information, wherever they are.
Meeting this connectivity requirement is a significant challenge faced by all
participants.
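The two preceding points, deciding access by information classification rather than by the "staff sees everything, no-one else sees anything" model, and granting staff on mission, teleworkers and business partners the same access as from the office, can be shown side by side in a small policy check. The following is an added illustration written for this summary; it is not code from the workshop or from any participant organisation, and the classification levels, roles and sample records in it are constructed.

```python
"""Added example: access decided by identity and classification, not by location.

Constructed illustration, not code from the OECD workshop or its participants.
It contrasts the 'classical model' (on-site staff see everything, nobody else sees
anything) with a policy that looks at who is asking and how the information is
classified, so that staff on mission, teleworkers and partners get the same answer
wherever they connect from. Levels, roles and sample records are hypothetical.
"""
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """Hypothetical four-level scheme; a higher value is more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Document:
    name: str
    classification: Classification
    owner_unit: str  # business unit that decides who needs this content


@dataclass(frozen=True)
class Principal:
    name: str
    is_staff: bool
    on_site: bool                   # where the request comes from
    strongly_authenticated: bool    # e.g. certificate/VPN login rather than a bare password
    clearance: Classification       # highest level the person may read
    units: frozenset = frozenset()  # units whose RESTRICTED material the person needs


def classical_perimeter_policy(p: Principal, d: Document) -> bool:
    """The report's 'staff member can see everything, no-one else can see anything'."""
    return p.is_staff and p.on_site


def classification_policy(p: Principal, d: Document) -> bool:
    """Decide on classification, clearance and need-to-know; ignore network location."""
    if d.classification == Classification.PUBLIC:
        return True                     # public material needs no authentication at all
    if not p.strongly_authenticated:
        return False                    # anything else requires strong authentication
    if d.classification > p.clearance:
        return False                    # not cleared for this level
    if d.classification == Classification.RESTRICTED and d.owner_unit not in p.units:
        return False                    # need-to-know is decided by the owning unit
    return True


# Constructed sample data (hypothetical documents and people).
BROCHURE = Document("annual brochure", Classification.PUBLIC, "communications")
MEMO = Document("staff memo", Classification.INTERNAL, "administration")
MICRODATA = Document("survey microdata", Classification.RESTRICTED, "statistics")

CLERK = Principal("clerk in the office", True, True, True, Classification.INTERNAL)
STATISTICIAN = Principal("statistician on mission", True, False, True,
                         Classification.RESTRICTED, frozenset({"statistics"}))
PARTNER = Principal("partner analyst", False, False, True, Classification.CONFIDENTIAL)
VISITOR = Principal("anonymous web visitor", False, False, False, Classification.PUBLIC)


def decisions(policy, principals, documents):
    """Return {(principal name, document name): allowed} for every pair under a policy."""
    return {(p.name, d.name): policy(p, d) for p in principals for d in documents}


def compare_policies():
    """Pairs where the policies disagree: the perimeter model's over- and under-sharing."""
    people = (CLERK, STATISTICIAN, PARTNER, VISITOR)
    docs = (BROCHURE, MEMO, MICRODATA)
    old = decisions(classical_perimeter_policy, people, docs)
    new = decisions(classification_policy, people, docs)
    over_shared = sorted(k for k in old if old[k] and not new[k])   # perimeter allows, classification denies
    under_shared = sorted(k for k in old if new[k] and not old[k])  # classification allows, perimeter denies
    return over_shared, under_shared


if __name__ == "__main__":
    over, under = compare_policies()
    print("Perimeter model over-shares:", over)
    print("Perimeter model under-shares:", under)
```

Run as a script, the comparison shows the on-site clerk reading restricted survey microdata under the perimeter model (over-sharing) while the statistician on mission, the partner and the anonymous visitor are refused material they are entitled to (under-sharing); the classification policy corrects both without reference to network location.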

Internet, software and hardware are often part of the problem

Every participating agency has come under external cyber threat in the last year or so,
mainly from the Internet. The overwhelming majority suffered serious disruption of service
at least once. "Denial of Service" attacks and the three infamous e-mail viruses
(I Love You, Melissa and Kournikova) were cited as the most common causes of disruption.
The motivation behind most of the Internet-originated attacks on government sites is
political (e.g., anti-globalisation) and must be taken very seriously. Most participant
organisations are subjected daily to multiple attempted security breaches. Also, due to
the worldwide popularity of Microsoft, MS-based systems are the most common target of
computer hackers and viruses. Weaknesses in software upgrades also make it attractive for
hackers to discover, disclose and exploit them. The rapid rise (and fall) of new
networking devices such as PDAs, UMTS/WAP, mobile telephones, etc., adds to the complexity
of managing sources of threat.

Senior management and computer users awareness of the cyber threat

Most organisations reported an increase in the level of senior management awareness of
the threat and a recognition that IT security is a corporate managerial issue, and not
simply an IT technical matter. A heightened level of awareness and interest in IT security
frequently followed a serious disruption of services in the organisation.

Nonetheless there was broad concern that the level of awareness and attention to IT
security policies and practices by computer users was generally inadequate. It was agreed
that best IT security practice must start with every individual at the screen. It was
noted that home users have been found to have the poorest PC security practices.

The quality and continuity of efforts and dialogue in the area of "user education"
need to be improved, at all levels. Moreover, when setting up technology to achieve IT
security, it is important to understand what the business really wants and/or needs. As
working staff frequently have an innate sense of what needs to be protected (and what does
not), their input is important, even though they may need assistance to articulate good
rules for this.

Organisation of IT Security Management

For most organisations, the information business is a 24x7 operation (e.g.,
Internet, Embassies, Centres and Regional offices), which requires extra vigilance and an
active programme to counter security threats. However, in most instances, there are
insufficient staff resources to monitor and intervene rapidly around the clock.

Also, a uniform organisational structure to address IT security did not emerge. In many
organisations, responsibility for IT security has traditionally been spread across several
technical areas in the ICT department. More recently, approximately half of the
participant organisations have created a Security Group, headed by a Security Officer and
consisting of one or more specialists reporting to the head of ICT. In a few organisations
the Security Group is independent of the ICT department. Regardless of its location, it
was generally agreed that the Security Group should be separate and independent from
development and operations.

Many organisations are outsourcing, or considering outsourcing, some or all elements of
IT security detection and protection. Firewall management, intrusion detection and
computer virus detection are the prime candidates for outsourcing. Nonetheless, budgetary
constraints have made it difficult to allocate adequate resources to vigorously combat
security threats, with most ICT departments instead focusing on minimising the potential
for damage. While it is difficult to define and quantify all resources devoted to IT
security, most participants estimate that less than 5% of their IT operational budget is
devoted to IT security.

Emerging Best Practices

Many best practices are emerging, and are being adopted by most participant
organisations to combat external threats, including:

Establishment of demilitarised zones (DMZ), with multi-layer firewalls installed at
all external points of communication

For secure communications many organisations have implemented solutions based on VPNs
over private networks and on Public Key Infrastructure. Concerning the latter,
interoperability of digital certificates is a significant impediment at the present time.
It was noted that biometric identification systems, while appropriate in some situations,
do not, as of yet, constitute a strong authentication solution.

The widespread use of laptop computers and the high incidence of loss or theft
represent a significant security risk. To counter this threat, the practice adopted by
many organisations is to encrypt all data stored on laptops. It was recognised, however,
that this creates an overhead, which can be particularly noticeable in applications such
as Computer-Assisted Personal Interviewing, where information is gathered by statistical
office interviewers equipped with laptop computers.

Participants considered that the rapidly evolving use of mobile devices such as PDAs
and mobile telephones, and increased teleworking, are major challenges that further add
to the complexity of managing IT security.

Opportunities for co-operative action

Most participants considered the workshop of great value to them and to their
organisations. They recommended that similar intergovernmental workshops on ICT management
in the public service be held again, as the need arises. A number of possible initiatives
were proposed which, through co-operation and sharing of information, could strengthen IT
security in governments and benefit all participating organisations. These include:

IT Security Policy - participant organisations
which have, or are preparing, a policy governing IT security, would share this information
with other participants

Classification of information - participant
organisations would provide a copy of their current classification standards to other
participants

Risk Assessment - organisations which have
completed an IT risk assessment would share information on their experience with others

Cost of IT security - participants would share
information on their experience and cost implications for: